Question : Why are wireless clients connected to a captive portal SSID not getting an IP if they disconnect and re-connect in quick succession?
Environment Information : Any Aruba OS
Any Aruba AP
Any Aruba Controller
Symptoms : Working wireless clients are unable to get an IP address if they disconnect and reconnect to wireless. If we clear the user entry using "aaa user delete mac <user-mac>", the user is able to connect and get an IP address without any problem.
We keep the L3 entry (user-table) of the user until the "User Idle-Timeout" timer expires. This is 5 minutes by default. Hence, if an authenticated captive-portal user disconnects from wireless and reconnects quickly (within 5 minutes, say), the user is placed directly in the post-auth role on the Controller. If the post-auth role is restrictive enough, it can block DHCP and so prevent the user from getting an IP address.
If a captive portal authenticated user disconnects from the wireless and reconnects within the "user idle-timeout" period (default 5 minutes), then the user will be pushed directly to the post-authentication role on the Controller. However, the user will still need to either renew its IP address or get a new IP address from DHCP. This attempt to acquire a new IP address or renew the existing one will fail if DHCP is blocked in the post-authenticated role. Hence we can resolve this issue by allowing DHCP on the post-authenticated role.
For the duration of the user idle-timeout (default is 5 minutes), we remember the user IP (L3) entry for authenticated users on the Controller. This is especially useful for captive portal authenticated users that reconnect to the wireless within a short time, so that they do not need to re-authenticate at the captive portal page again. If an authenticated user disconnects from wireless and reconnects within the configured "user idle-timeout", then we will push the user directly to the post-authentication role.
Now, since the user disconnected from wireless and reconnected, it will try to do a “DHCP DISCOVER”. We hence need to allow “DHCP” on the post-authenticated role so that the user can get an IP address this time.
Consider a user in post-authenticated role "webaccess".
Configuration before change:
(Aruba)# config term
(Aruba) (config)# ip access-list session WebAcc
(Aruba) (config-sess-WebAcc)# any any svc-dhcp permit position 2
(Aruba) (config-sess-WebAcc)# write mem
Configuration After Change:
Note: The issue of users not getting an IP after reconnecting to wireless might be exacerbated in cases where the user idle-timeout is higher than the default value.
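The "position 2" argument in the fix above matters because session ACL rules are evaluated in order and the first match wins. The following is an added example, not part of the original article or Aruba's own tooling: a simplified first-match check of a session ACL for DHCP. The sample ACL contents, the function names, and the assumption that only rules with source and destination both "any" match the client's DHCP traffic are constructed for illustration.

```python
# Added example: simplified first-match model of an ArubaOS session ACL.
# Assumption: only rules whose source and destination are both "any" are
# treated as matching the client's DHCP DISCOVER; other rules are skipped.

# Constructed sample of a restrictive post-auth ACL (not from the article).
SAMPLE_ACL = """\
ip access-list session WebAcc
  user any svc-http permit
  user any svc-https permit
  any any any deny
!
"""

def parse_acl(config, name):
    """Return the ordered rules (src, dst, service, action) of one session ACL."""
    rules, inside = [], False
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:3] == ["ip", "access-list", "session"]:
            inside = len(tok) > 3 and tok[3] == name
        elif inside and tok == ["!"]:
            inside = False          # "!" closes the ACL block
        elif inside and len(tok) >= 4:
            rules.append(tuple(tok[:4]))
    return rules

def add_rule(rules, rule, position=None):
    """Mimic 'position N' (1-based); without a position the rule is appended."""
    updated = list(rules)
    entry = tuple(rule.split()[:4])
    if position is None:
        updated.append(entry)
    else:
        updated.insert(position - 1, entry)
    return updated

def dhcp_verdict(rules):
    """Return (action, rule_number) of the first rule that matches DHCP."""
    for number, (src, dst, svc, action) in enumerate(rules, 1):
        if src == dst == "any" and svc in ("svc-dhcp", "any"):
            return action, number
    return "deny", None             # implicit deny at the end of the ACL

if __name__ == "__main__":
    before = parse_acl(SAMPLE_ACL, "WebAcc")
    print("before change:  ", dhcp_verdict(before))
    print("added at pos 2: ", dhcp_verdict(add_rule(before, "any any svc-dhcp permit", 2)))
    print("appended at end:", dhcp_verdict(add_rule(before, "any any svc-dhcp permit")))
```

In this model, a DHCP permit appended after a catch-all deny is never reached, so the rule has to be positioned ahead of any deny that would match first.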